What is Windows Hello? Windows Hello, according to Microsoft, is a more personal way to authenticate to your computer using your face, fingerprint, or iris. The Surface Book, Surface Pro 4, and some PCs are equipped with the technology. For example, you hold your head still in front of your computer’s camera and it matches your iris against the iris that the computer has on file for you. If your eye matches, you are logged into your computer. The whole reason behind authenticating with biometrics is to eliminate the need for passwords.
Seems like a great idea, right? Wrong. Biometrics provides a false sense of security.
What happens when someone hacks your password? You change it. What happens when someone can replicate your iris? You have a problem.
The Samsung S8 smartphone is equipped with iris scanning instead of a traditional passcode to gain access to the smartphone. Samsung states that the iris scanning provides “airtight security” and is “virtually impossible to replicate.”
The Chaos Computer Club, Europe’s largest association of hackers, wanted to determine how airtight this method really was. A hacker obtained a Samsung S8 smartphone and took a picture of the S8 owner’s eye. After the image was printed, a contact lens was placed over the eye on the printed image. The image with the contact lens was held up to the S8 iris scanner and the phone was unlocked. Samsung told the BBC it was “aware of the issue”.
Although this may have been a study to show how unsafe biometrics are, and the S8 owner’s iris was not compromised, what would happen if the S8 owner’s iris were actually hacked? A person is not able to go have an iris transplant. This is not the first instance of a biometric hack.
In 2014, the Chaos Computer Club took a picture of German Defense Minister Ursula von der Leyen’s fingerprint. The hacker took the picture with a standard camera from about 10 feet away while she was speaking at an event. Using the picture and applying a layer of latex milk or wood glue would create an accurate clone of the thumbprint.
Then again in 2015, the Chaos Computer Club said that a high-resolution photo found on Google Images would be enough to hack an iris scanning authentication method. The hacker stated that the minimum pixel requirement for this is 75 pixels and the printer resolution would need to be 1200 dpi with at least 75% of the iris visible. In other words, all you need is 75% of the actual iris for the hack to occur. High-resolution printers are readily available.
The bottom line is that although people may complain about having to create a complex password, it is the only method to ensure you will not be hacked. With a secure password policy in place, these breaches will be nonexistent. Furthermore, if hacked, you are able to reset your passwords much more easily than having an iris transplant. Biometrics are not safe.